Healthcare Information Security


Information Security is essential to the broad utilization of, and confidence in, Electronic Health Records (EHR); and to realizing their promise of quality improvement and cost containment. However, Healthcare Information Security is unique because organizations must:

Not only keep information confidential, but also accurate and always available.

Secure the devices and wireless networks necessary to support mobility requirements.

Manage ePHI (Electronic Protected Health Information) access in a manner that does not impede patient care.

Challenges

Addressing the challenges associated with Healthcare Identity Theft in an increasingly mobile industry.

Managing third-party risk associated with the growing need to share sensitive data with vendors/business associates to achieve business goals, and monitoring business associates to ensure they are compliant with HIPAA.

Ensuring that the EHR, the technology necessary to support it, and the new policies, standards and procedures required to operationalize it all restrict access to ePHI to those who are authorized.

It is critical to optimize the scale (e.g., a location, an EMR, a WLAN, an organization) and scope (e.g., HIPAA, OWASP) of the engagement to achieve the specific assurance required.

PHI/PII Security Simplified

Protecting PHI/PII is exceptionally challenging in that it requires a holistic approach to ensuring the security of the processes that act on the information, and on the assets (servers, networks, applications, personnel, facilities) that support these processes.

Secure Data Flow Diagrams (SDFD) — Identify critical risks and the required security controls at each point where the information is acted on in your environment.

Risk Assessment — The SDFD can easily be extended into a formal Risk Assessment to comply with relevant HIPAA requirements.

EMR/EHR Security Simplified

Requirements Gap Assessment during the Requirements phase to ensure that the specified security requirements are sufficient to meet the organization's security and compliance obligations.

Design Gap Assessment during the Design phase to ensure that the systems design is consistent with the specified requirements.

Security Certification & Accreditation activities prior to deployment, to ensure that the implementation is fully consistent with the design and that the supporting organizational elements are in place and operating as intended.

Monitoring and ongoing Risk Management during the Operations phase to ensure that the security and compliance posture is maintained.


Why Partner with Pivot Point Security?

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant.

Domain expertise means we know the ins and outs of HIPAA/HITECH, PCI, Sarbanes Oxley and the other regulations you need to comply with. It also means that we are experts in the Security Frameworks (ISO 27001, HITRUST, ISO 27002, OWASP, NIST 800-66) that should form the basis of Information Security Management Systems.

Healthcare experience means you won’t have to spend time explaining to us why standard password policies can’t be applied in an emergency room, or describing the challenges of updating a 24×7 mission critical environment (akin to painting a moving bus).

Organizational character means we have the competence to do the job well in a transparent and straightforward manner that you’ll value.